Archive for April 13th, 2012

In another interesting turn of events, while monitoring targeted attacks, specifically advanced persistent threats, I came across an email with a PDF attachment that had a measly 4 out of 42 generic or heuristic detections.

I checked out the email and whoa! It appeared to be an email from a trusted researcher colleague and friend at FireEye who was also monitoring these kinds of campaigns, or, to put it accurately, it looked like it was.

Looks legit, right? However, my first instinct told me that something was definitely amiss, so I zeroed in on the email headers first, expecting to find signs of spoofing, which I did.

The Flashback malware discovered last week is raising doubts over the security of the Mac platform. The Trojan, detected by Trend Micro as OSX_FLASHBCK.AB, continues to be a hot topic in the computing industry, and it contradicts Apple’s own notion that Mac OS is threat-proof. This attack, along with an onslaught of malware and targeted attacks, puts Apple’s self-proclaimed security into perspective.

Flashback is not only a piece of malware but a family of Trojans and, most recently, backdoors. It was first uncovered in October 2011 masquerading as a Flash Player installer. The next variants we saw were dropped by malicious Java files that exploited Java vulnerabilities. Flashback variants typically modify the content displayed in a web browser, and they get onto the system by exploiting Java vulnerabilities.

Specifically, OSX_FLASHBCK.AB is dropped by malicious Java files that exploit CVE-2012-0507. This vulnerability was patched for Windows environments as early as February this year. Apple released the same patch to its Mac users this month.

Based on Trend Micro’s Smart Protection Network data below, users from the United States are the most affected by OSX_FLASHBCK.AB: